Dashlane’s 2017 Password Power Rankings

As a password manager, we frequently emphasize the importance of creating strong passwords to protect your data on online accounts, but are websites holding up their end of the bargain?

In our latest study, Dashlane researchers examined the password policies of 40 popular consumer and enterprise websites against five criteria. Today, we’re sharing the results in our 2017 Password Power Rankings.

Key Findings


Dashlane researchers also made note of some exceptional observations:

Researchers were able to create passwords using nothing but the lowercase letter “a” on several notable sites, including Amazon, Dropbox, Google, Instagram, LinkedIn, Netflix, Spotify, Uber, and Venmo.

Researchers also identified six websites that do not have policies to prevent brute-force attacks, including Apple, Dropbox, Google, Twitter, Venmo, and Walmart.

Researchers successfully created an account on Netflix and Spotify using “aaaa”.

Best Practices

Online Security Best Practices for Consumer/Enterprise Site Owners and Developers:

Make 8-character passwords the minimum

Require alphanumeric & case-sensitive passwords

Provide a meter or color-coded bar to confirm password length and strength

Use a password manager to help generate, store, and manage your passwords

Methodology

From July 5 – July 14, Dashlane researchers examined 37 popular consumer websites and 11 popular enterprise websites against five password security criteria:

Does the website require users to have passwords that are 8 or more characters?

When creating a new account on each website, Dashlane researchers attempted to create passwords less than eight characters irrespective of the sites’ stated minimum password requirements.

Does the website require users to have passwords with a combination of letters, numbers, and symbols?

When creating a new account on each website, Dashlane researchers attempted to create passwords with all letters (“aaaaaa”) or numbers (“111111”).

Does the website provide an on-screen password assessment meter to show users how strong their password is?

When creating a new account on each website, we checked whether the site provided any notification, such as a meter or color-coded bar; if it did, the site was credited as providing an assessment. Sites that only confirmed password length or that requirements were met did not receive credit.

Does the website have a mechanism to prevent brute-force attacks?

Dashlane researchers attempted to log in using incorrect passwords. If the tester was able to continue entering incorrect credentials after 10 attempts without encountering any security mechanism, such as a CAPTCHA code or the account automatically locking, the site did not receive credit.

Does the website have support for 2-Factor Authentication?

A site received a point for each criterion it met, for a maximum, and top score, of 5. A score of 3/5 was deemed passing and meeting the minimum threshold for good password security.
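The following is an added example, not Dashlane's code, of what the best-practice recommendations and the first four study criteria look like when implemented on the server side of a signup and login flow: a policy check that rejects passwords shorter than 8 characters or lacking a mix of letters, numbers and symbols (so "aaaaaa", "111111" and "aaaa" all fail), a coarse strength label of the kind a meter would display, a per-account failed-login counter that demands a challenge after 10 failures, and the 5-point scoring rubric. All function names, the strength thresholds, and the sample passwords are assumptions made for the example.

```python
"""Added example (not Dashlane's code): password-policy checks, a strength
label, a brute-force throttle and the study's 5-point scoring rubric.
Names, thresholds and sample inputs are assumptions made for the example."""
import string
from typing import Dict, List, Tuple

MIN_LENGTH = 8            # criterion 1: passwords must be 8 or more characters
MAX_FAILED_ATTEMPTS = 10  # brute-force criterion: challenge after 10 failures
PASSING_SCORE = 3         # rubric: 3/5 is the passing threshold


def password_problems(password: str) -> List[str]:
    """Return the policy violations for a candidate password (empty list = accepted).

    Implements criteria 1 and 2: minimum length, and a combination of letters,
    numbers and symbols. Single-character passwords such as "aaaa" are also
    flagged explicitly, since they are the weakest case the study found accepted.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_letter and has_digit and has_symbol):
        problems.append("must combine letters, numbers and symbols")
    if len(set(password)) == 1:
        problems.append("single repeated character")
    return problems


def strength_label(password: str) -> str:
    """Coarse label for an on-screen meter (criterion 3), based on length and
    the number of character classes used. Thresholds are assumptions."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if len(password) < MIN_LENGTH or classes <= 1:
        return "weak"
    if len(password) >= 12 and classes >= 3:
        return "strong"
    return "fair"


class LoginThrottle:
    """Counts failed logins per account (criterion 4). Once an account has
    reached MAX_FAILED_ATTEMPTS failures, every further attempt, correct or
    not, is answered with 'challenge' until an operator or CAPTCHA clears it."""

    def __init__(self) -> None:
        self.failures: Dict[str, int] = {}

    def record_attempt(self, account: str, password_correct: bool) -> str:
        """Return 'ok', 'denied' or 'challenge' for one login attempt."""
        if self.failures.get(account, 0) >= MAX_FAILED_ATTEMPTS:
            return "challenge"  # CAPTCHA or lock: the mechanism the study looked for
        if password_correct:
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "denied"

    def clear(self, account: str) -> None:
        """Reset the counter after the user passes the challenge."""
        self.failures[account] = 0


def site_score(criteria: Dict[str, bool]) -> Tuple[int, bool]:
    """Apply the rubric: one point per criterion met, pass at 3/5 or better."""
    score = sum(1 for met in criteria.values() if met)
    return score, score >= PASSING_SCORE


if __name__ == "__main__":
    # Constructed sample inputs taken from the cases the study describes.
    for candidate in ("aaaa", "aaaaaa", "111111", "Tr0ub4dor&3"):
        print(candidate, strength_label(candidate), password_problems(candidate))
    throttle = LoginThrottle()
    for _ in range(MAX_FAILED_ATTEMPTS):
        throttle.record_attempt("alice", password_correct=False)
    print(throttle.record_attempt("alice", password_correct=True))  # challenge
    print(site_score({"length": True, "mix": True, "meter": True,
                      "brute_force": False, "2fa": False}))
```

The throttle checks the counter before verifying the password, so a guess that happens to be right on the eleventh attempt still meets the challenge; a counter that is only consulted after a failed verification would let the tester described in the methodology keep guessing.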